Washington SaaS Terms: A Drafting Checklist with Washington-Specific Overlays
SaaS terms of service are mostly a contract-drafting exercise: subscription mechanics, acceptable use, IP, warranty disclaimer, liability cap, dispute resolution. Washington adds three statutory overlays that any SaaS company selling into Washington should understand: the Consumer Protection Act in Chapter 19.86 RCW, the My Health My Data Act in Chapter 19.373 RCW, and the data breach notification statute in Chapter 19.255 RCW. This guide walks through the drafting checklist with the Washington overlays called out where they actually change the analysis.
Quick answer
A SaaS terms package selling into Washington should include solid baseline terms (subscription, auto-renewal, acceptable use, AI features, warranty disclaimer, liability cap, dispute resolution), and three Washington-specific overlays: a Consumer Protection Act risk review of marketing and auto-renewal practices, a My Health My Data Act analysis if the product touches any consumer health data, and an incident response plan tied to Chapter 19.255 RCW.
SaaS terms drafting checklist
1. Subscription and auto-renewal
- Clear billing cadence (monthly, annual, multi-year) with stated price.
- Auto-renewal disclosure: how renewal happens, what notice is given, how the user cancels, and the cancellation deadline relative to the renewal date.
- Pro-rata or no-refund policy on mid-term cancellation, clearly stated.
- Price-increase mechanism on renewal with advance notice.
2. Acceptable use
- Prohibited content (illegal, infringing, defamatory, malware, child sexual abuse material per federal law).
- Prohibited conduct (interference with the service, automated scraping outside published APIs, reverse engineering).
- Account suspension and termination rights for breach.
- Cooperation with lawful process and platform safety obligations.
3. Data processing
- Clear delineation of controller and processor roles (or business and service provider under California law).
- Data processing addendum (DPA) for B2B customers handling personal data.
- Sub-processor list and notice mechanism.
- Cross-border transfer mechanism where applicable.
- Customer audit rights, scoped to be workable for a SaaS provider.
4. AI features
- Clear disclosure that AI features may produce inaccurate, incomplete, or misleading output.
- User obligation to verify AI output before relying on it.
- Training data policy: whether customer inputs and outputs are used for model training, with opt-out for B2B.
- IP ownership of AI-generated output, with appropriate carve-outs and disclaimers.
- If the product is used by lawyers, doctors, or other regulated professionals, layered disclaimers on practice-specific output.
5. User uploads and content
- User license to the SaaS provider to host, process, and display user content.
- User representation that they have the rights to upload the content.
- DMCA notice-and-takedown process for U.S. operations.
- Retention and deletion practices.
6. Warranty disclaimers
- "As is" and "as available" disclaimers.
- Disclaimer of merchantability, fitness for a particular purpose, and non-infringement, in CAPS or otherwise conspicuously displayed.
- Carve-out for any express service-level commitments the SaaS actually makes.
7. Liability cap
- Cap usually expressed as fees paid in the prior 12 months.
- Exclusion of indirect, consequential, special, incidental, and punitive damages.
- Carve-outs for indemnity obligations, IP infringement, confidentiality breach, and gross negligence or willful misconduct.
- Drafting note: an unconscionable cap can be invalidated, and a cap that purports to immunize a party from intentional misconduct is generally not enforceable.
8. Arbitration and dispute resolution
- Mandatory arbitration with a chosen forum and rules.
- Class action waiver.
- Mass arbitration protocol (batching, bellwether process).
- Carve-outs for small claims and equitable relief.
- 30-day informal dispute resolution period before arbitration.
9. Venue and governing law
- Choice of law (typically the SaaS provider's home state or a neutral commercial state like Delaware).
- Choice of forum.
- Note that consumer-protection statutes in the user's home state may still apply regardless of the chosen governing law.
10. Privacy interaction
The terms of service should reference the privacy policy and any data processing addendum. Conflicts between the documents are a fertile source of litigation, so use cross-references and one canonical version for each topic.
Washington overlay 1: Consumer Protection Act (Chapter 19.86 RCW)
The Washington Consumer Protection Act, Chapter 19.86 RCW, prohibits unfair or deceptive acts or practices in the conduct of any trade or commerce. The private cause of action under RCW 19.86.090 allows a successful plaintiff to recover actual damages, treble damages up to a statutory cap, attorney fees, and an injunction. Under Washington case law applying Hangman Ridge Training Stables v. Safeco Title Ins. Co., a private CPA claim has five elements: (1) an unfair or deceptive act or practice, (2) occurring in trade or commerce, (3) affecting the public interest, (4) injury to the plaintiff's business or property, and (5) a causal link between the act and the injury.
For SaaS founders, the practical CPA exposures cluster around marketing claims that overstate features, hidden auto-renewal practices, dark-pattern cancellation flows, and material omissions in onboarding. The CPA is the enforcement vehicle the Washington Attorney General most often uses against consumer-facing SaaS practices, and it is also the private plaintiff's preferred theory because of the fee-shift and treble damages.
Washington overlay 2: My Health My Data Act (Chapter 19.373 RCW)
The Washington My Health My Data Act, Chapter 19.373 RCW, regulates the collection, use, sharing, and sale of consumer health data by regulated entities. It applies broadly to any consumer health data (not just HIPAA-covered data), and it covers a much wider universe of products than founders expect: wellness apps, fitness trackers, period and fertility trackers, mental health tools, AI symptom checkers, sleep apps, and any SaaS that infers health-related information from user inputs or device signals.
Key obligations under the Act include:
- Consumer health data privacy policy disclosures.
- Affirmative, opt-in consent before collecting or sharing consumer health data, with detailed disclosure of categories and purposes.
- Stricter "valid authorization" for any sale of consumer health data.
- Consumer rights of access, deletion, and withdrawal of consent.
- Restrictions on geofencing around health care facilities.
- A private right of action through the Consumer Protection Act for violations.
The private right of action through the CPA is the part most SaaS founders miss. A My Health My Data Act violation does not just trigger AG enforcement; it can also trigger CPA-style private litigation with fee-shifting and treble damages. If a product touches anything that could be characterized as health, wellness, fitness, mental health, or symptom-related data on Washington residents, this statute should be on the legal review list.
Washington overlay 3: Data breach notification (Chapter 19.255 RCW)
Washington's data breach notification statute, Chapter 19.255 RCW, imposes notification obligations when there is a breach of system security involving personal information of Washington residents. Key features that SaaS founders should bake into their incident response plan and customer contracts:
- A defined set of data categories qualifying as "personal information" under the statute.
- An encryption / secured-data safe harbor where the data was encrypted and the decryption mechanism was not also acquired.
- Consumer notice obligations on a defined timeline.
- Attorney General notification for breaches affecting more than 500 Washington residents, no more than 30 days after the breach is discovered.
- Defined content requirements for the AG notice.
For a full walkthrough of the statutory definitions, encryption safe harbor, timing, and the comparison to California's notification regime, see my Washington Data Breach Notification Guide.
Washington legal leverage
For a SaaS company selling into Washington, the highest-leverage drafting work is at the intersection of these three statutes. The CPA is a private fee-shifting statute with treble damages; the My Health My Data Act incorporates the CPA as its private enforcement vehicle; the data breach statute creates an AG notification obligation that almost always becomes public. A SaaS terms package that addresses all three with the actual statutory text in mind is materially more defensible than a generic SaaS template that ignores them.
SaaS founder checklist for Washington
- Terms of service drafted against the SaaS checklist above.
- Privacy policy that addresses Washington-resident rights and discloses any consumer health data collection.
- Auto-renewal flow reviewed against state and federal auto-renewal rules.
- Data processing addendum for any B2B customer handling personal data.
- Incident response plan with a documented AG notification path under Chapter 19.255 RCW.
- If health, wellness, or symptom-related data is in play: a My Health My Data Act compliance assessment, including consent flow, geofencing, and the valid authorization for any sale.
- Marketing review for CPA risk on any "no commitment," "cancel anytime," "free trial," or auto-renewal claims.
Related resources
For SaaS-focused intake, see my SaaS contracts intake. For California parallels, see the California Privacy Hub and SaaS Legal Package Hub. For the breach-notification deep dive, see my Washington Data Breach Notification Guide. For more formation context, see the Washington Business Law hub.
Get a Washington-aware SaaS legal package
Currently educational only on Washington-specific representation. Contract drafting, privacy policy review, and SaaS package work can be handled now under my California license with explicit Washington-coverage disclaimers, calibrated to Chapter 19.86 RCW, Chapter 19.373 RCW, and Chapter 19.255 RCW. To request a custom quote or to join the Washington availability list, email me directly.